Avast deactivated an element in its suite that, ironically, posed a significant security risk.
The software manufacturer disabled it JavaScript interpreter in its toolbox, when Tavis Ormandy from Google Project Zero and his colleagues warned the company to "pack up" imperfections in the code.
According to Avast, Ormandy discovered one vulnerability that allowed remote code execution in the software, the details of which were not publicly disclosed.
Five days later, Google released a shell that could provide more information about Avast's JavaScript vulnerability to those interested in evaluating the suite protectionfrom viruses.
He also revealed that if the attackers were able to exploit any holes in Avast's JS on the victim computer, they could run malicious applications on that computer with system-admin privileges.
It should be noted that Ormandy did not reveal specifically errorthe.
A few days after the release of the analysis tool, the company chose to completely remove the JavaScript emulator. According to the company, its removal will not significantly affect the suite's ability to detect malware. The rapid action of the company was applauded by Ormandy.
A praise from the security community for Avast is a very difficult thing to come by space. After the data sale scandal, the company found itself in the spotlight again when it was revealed that the AntiTrack tool contained errors which could allow man-in-the-middle attacks to monitor supposedly secure connections.
